Recently two sites I've built on Wordpress were hacked. Cleaning these sites is no picnic. There are numerous blog entries on securing WordPress. Though they all say different things which makes me think that there is no consensus/best practice on how to do this.

Are there other platforms that are more secure?Do you have a successful formula for securing WordPress installs?

I used to use a CMS that I built myself. It doesn't have all the bells and whistles that WordPress has, but it is easy to configure and does most of what I need it to do. I've set up over 200 sites with it, and it never got hacked. Security through obscurity...

cheesedude
—
2013-01-21T19:24:25Z —
#2

eruna said:

Recently two sites I've built on Wordpress were hacked.

Welcome to the club.

eruna said:

Cleaning these sites is no picnic.

It takes a little time, but it isn't too bad. It's more a personal violation, almost like getting your home burglarized I would imagine.

General tips for other hacking victims who may read this: Delete all files under your web root folder (for your main site and any addon sites because hackers like to hide backdoors to regain access if the main access point is found), restore them with copies you know are clean, and check the posts table for any iframes or javascript hackers may have embedded in posts. Check your users table to make sure no unauthorized users were added. Also, change all your passwords, especially your database passwords and if you want to go further your hosting control panel password as well.

eruna said:

There are numerous blog entries on securing WordPress. Though they all say different things which makes me think that there is no consensus/best practice on how to do this.

I can't speak about any so-called security plugins because I haven't used them, but I would think that if it were possible to make Wordpress more secure other than the vulnerabilities as the result of coding errors, that the Wordpress folks would have already incorporated them.

Have you determined that the vulnerability was in Wordpress and not in another area? Were you using an outdated version of Wordpress? That is usually the case when someone gets hacked, as it was in my case.

eruna said:

Are there other platforms that are more secure?Do you have a successful formula for securing WordPress installs?

I had an outdated Joomla installation hacked that I was just using for evaluation purposes and forgot about. There is currently a security alert on Drupal. You can read Wordpress' recommendations if you haven't already.

I used to use a CMS that I built myself. It doesn't have all the bells and whistles that WordPress has, but it is easy to configure and does most of what I need it to do. I've set up over 200 sites with it, and it never got hacked. Security through obscurity...

I have never had any of my own code hacked, either, but Wordpress is much more complicated than anything I have done. Open source is a double-edged sword. You get thousands of hours of work writing code provided for free, but hackers also have access to that code. And because open source scripts are used by a lot of people, if a vulnerability is found hackers are quick to take advantage of it because of the large scale damage they can do.

Getting hacked is one of the risks of using open source and if the risk is too great it is best to write your own code.

dvduval
—
2013-01-21T19:28:15Z —
#3

Do a little search of Sitepoint for "wordpress" and "hacked" and it is pretty obvious the track record is not good. I don't use wordpress unless the customer insists, and if I do they absolutely must be on a payment plan that involves paying me to keep their blog updated.

awasson
—
2013-01-21T20:18:49Z —
#4

Yes Wordpress does have a poor record on security and to make matters worse, there are many WP sites that have gone un-patched which leaves them and any other site on their serve vulnerable to attack.

Last week I saw the aftermath first hand of one such hack where the hackers got into a shared hosting account via an un-updated WP site and then hacked other sites on the server. One site that was hacked was a Drupal site under my care but the fix was simple. After the server was secured I replace the file system, leaving my themes and website 'sites' directories alone. We scanned the 'sites' directory and removed the one file the hackers dropped in, sent Google a request to rescan it and we were back up and running. I had a monster headache at the end of the day but we came through relatively unscathed. I don't know the status of the WP site.

So far, that's the only Drupal site I've had hacked in six years and in this case it was the result of being on shared hosting with a vulnerable site and not the fault of Drupal itself.

Any CMS will be vulnerable, the way to guard against it is to find a CMS with an active security team and do security updates as soon as they come in. I receive emails from every site I manage when updates are available.

Andrew

felgall
—
2013-01-21T20:55:12Z —
#5

The WordPress plugin from http://bit51.com/software/better-wp-security/ allows you to apply a large range of security measures to your Wordpress site and also logs when anything happens that might be considered to be an attempt to breach security.

eruna
—
2013-01-22T01:14:36Z —
#6

Both hacked sites were completely up to date. One was also on a server with Magento It could have come from there.One of the sites had a handful of plugins which could be responsible for the vulnerability. I'm experimenting by turning off all the plugins and adding them back in one by one a week a part. This is not a very graceful solution because the plugins perform important functions on the site.Are there any CMS systems that are more secure than Wordpress with a similar weight?

awasson
—
2013-01-22T01:45:33Z —
#7

What sort of hack occurred? Was it a mainpage rewrite hack, malware hack or something else?

Is it possible that the server was hacked rather than the WordPress site being hacked?

felgall
—
2013-01-22T06:10:55Z —
#8

This is certainly starting to sound like it is more likely a server hack rather than WordPress. With the better_wp_security plugin installed WordPress is as secure as anything you are likely to find.

EnderMB
—
2013-01-22T11:46:50Z —
#9

eruna said:

Are there other platforms that are more secure?

There are numerous platforms that are more secure than WordPress. WP has a poor track record for security issues, and although that is to be expected due to its popularity with entry-level developers a number of these bugs tend to be from poor security practices in the code and issues with PHP.

If it's a genuine problem for you I would move to a real CMS, something like Concrete5 or Drupal if you are limited to PHP. Otherwise, there are a number of good Ruby and Python solutions, as well as .NET solutions in Umbraco.

Pullo
—
2013-01-22T14:50:45Z —
#10

[ot]

ULTiMATE said:

Otherwise, there are a number of good Ruby and Python solutions, as well as .NET solutions in Umbraco.

Do you have any experience with anything written in Ruby? Is there a Ruby-based CMS you could recommend?[/ot]

EnderMB
—
2013-01-22T16:14:35Z —
#11

[ot]

Pullo said:

Do you have any experience with anything written in Ruby? Is there a Ruby-based CMS you could recommend?

I'm not a huge fan of the Rails community, so any work I've done with Rails has been done with a solemn look on my face. It's a nice language, but it's not as polished as Python and nowhere near as usable as PHP.

If I were to recommend a Ruby CMS it would have to be Refinery CMS. It's a decent CMS and if you're using Ruby it's the best choice you've got. Despite all its feather-flashing, the Ruby community is yet to develop a killer script, or even a renowned forum or blog script, let alone a top-of-the-class CMS.

If platform and language weren't a problem I'd always back .NET over any other language. Python and Django in particular has some fantastic scripts, but its enterprise offerings and Umbraco in the open-source world makes .NET just far more proven to handle websites and be good to develop on.[/ot]

Pullo
—
2013-01-23T14:03:01Z —
#12

Off Topic:

Thanks ULTiMATE. I'll have a look at Refinery. I found a good write up of it on Ruby Source

amitgupta
—
2013-02-07T03:03:30Z —
#13

[ot]

ULTiMATE said:

I'm not a huge fan of the Rails community, so any work I've done with Rails has been done with a solemn look on my face. It's a nice language, but it's not as polished as Python and nowhere near as usable as PHP.

Rails != Ruby & Ruby is a language, Rails isn't. [/ot]

amitgupta
—
2013-02-07T03:20:12Z —
#14

In my experience, a WordPress site gets hacked on application level because either its an older version (with a public security flaw that has been fixed in newer version) or because of a flaw in a plugin or theme. Since plugins and themes are just PHP scripts & can do pretty much what they want, can't say the security flaws are WordPress' fault. If it was so bad at security, it wouldn't be running on a platform like wordpress.com, now would it?

Now how you can avoid the nastiness of getting hacked, here's what I advise:

Install plugins only from the official plugin repo on wordpress.org. If you have to source your plugins from elsewhere, don't take them on faith, you don't know what's in the code unless you go through it. Bad programmers can be anywhere, even on some sites which sell "premium" plugins. I've seen some yucky code even on plugins being sold for $30+.

#3 is valid for themes as well, unless you make your own. I've actually seen some shady sites offering downloads of some popular free themes. What I found out was that those themes had been altered and adware/malware added to them.

Follow these and you should be ok. :tup:

awasson
—
2013-02-07T07:29:28Z —
#15

Yeah, I think the problem with WP security is that with the low barrier to entry, WP has produced a lot of "chop-shop" developers who couldn't care less about what happens after the site leaves their shop and the result is a massive number of sites that just don't get maintained or updated. The owners figure the site is good to go and don't know anything about the needs to maintain them.

Edit: That said, I'm pretty sure the OP's server was hacked and this instance was probably not because of a WP vulnerability. I have heard some mention of a WP/jQuery injection issue but only rumor and no specifics I could substantiate. Just a frustrated web host complaining about it.

EnderMB
—
2013-02-07T12:38:04Z —
#16

[ot]

asp_funda said:

Rails != Ruby & Ruby is a language, Rails isn't.

Words cannot describe my shame. [/ot]

amitgupta
—
2013-02-07T13:48:43Z —
#17

[ot]

ULTiMATE said:

Words cannot describe my shame.

lol [/ot]

amitgupta
—
2013-02-26T19:02:42Z —
#18

awasson said:

Yeah, I think the problem with WP security is that with the low barrier to entry, WP has produced a lot of "chop-shop" developers who couldn't care less about what happens after the site leaves their shop and the result is a massive number of sites that just don't get maintained or updated. The owners figure the site is good to go and don't know anything about the needs to maintain them.

I don't see how is that a problem with WordPress' security? That is a problem with the site's security which employed such developer(s) & such a security problem can happen whether WordPress is being used or not.

WordPress' ease of use can't be held against it as its security flaw.

awasson
—
2013-02-26T21:07:40Z —
#19

asp_funda said:

I don't see how is that a problem with WordPress' security? That is a problem with the site's security which employed such developer(s) & such a security problem can happen whether WordPress is being used or not.

WordPress' ease of use can't be held against it as its security flaw.

Well, it's not just that the sites aren't being patched, it's that historically WP has had more vulnerabilities AND many vulnerable sites aren't being patched.

You might not see that as being fair but hackers don't care about the why, they just use the vulnerability and go about their business.